Tabnabbing:Email & Online Banking Vulnerabilities and Countermeasures

In many of my post I have pointed out the concept of  "Phishing" in  Email hacking,where the attacker sends a fake/spoof  login page to the victim having manipulated the url to create some sort of illusion.Few months back "Aza Raskin" the Creative Lead  of Mozilla Firefox describes  a new form of  Phishing attack called "Tabnabbing" which manipulates the Tab browsing  of the users.

 What is Tabnabbing?

I feel  you can guess the work it does from its name,Tab means "the different windows attached to the same browser" and Nabbing means "to seize something forcefully".In the same way  for Tabnabbing ,when the user has opened up multiple tabs in the browser and after sometime comes back to one of the earlier opened tab then he/she finds that the content,title,favicon of that tab has changed to a login page of any email account or bank  login page....lol.Apart from  manipulating the tabs of the browser the attacker manipulates the memory of the victim because if the user does not remember what  website he/she had open in that tab then  he/she would login to that fake page thinking that it was open by him/her.....lol.

Check out the video to see the demo.



A New Type of Phishing Attack from Aza Raskin on Vimeo.


How does it works?

The main concept behind this is that  the attacker puts a Javascript in the pagesource code which waits for a certain period of delay and then  changes its favicon,title and content.It is more evil if it the script is intelligent enough which means it detect which sites the user visits normally and then accordingly switch to that site using tabnabbing.


Why is online banking is more vulnerable to this?

In online banking you must have noticed that  if you have logged in to the official page and left it idle for few minutes then it is automatically logged out.Due to this feature Tabnabbing is very  handy in attacking users of online banking beacause the users feel that  he/she would have logged in to the bank account and the session has expired.

CounterMeasures:
 I would recommend Mozilla Firefox browser for web access because it has many security addons which are very handy and easy to use.

1.WOT:Marks the websites with colour and warns the users.(Download)

2.NoScript:This addon protects from XSS,IFrames,ClickJacking,stops Javascript.(Download)

3.Safe:Makes SSL  and extended SSL moree visible to user.(Download)

4.Secure Login:It has a feature to enable or disable Javascript and manages the password manger of Mozilla.(Download)

5.PhishTankSiteChecker:It warns the user about a phish attack.(Download)

6.Close all the browser tabs and web based applications that uses browser cache when using online banking.

7. You can also use some Linux Live CD to access internet while using online banking.

Source:http://www.azarask.in/

If you find this post worthy  to read  do post a comment , it will be appreciated.

IF YOU FIND THIS BLOG WORTH READING THEN DO "VOTE" FOR IT........Click here to Vote!
Tabnabbing:Email & Online Banking Vulnerabilities and Countermeasures Tabnabbing:Email & Online Banking Vulnerabilities  and Countermeasures Reviewed by Satyajit (Admins,a.k.a Satosys) on Tuesday, July 20, 2010 Rating: 5

7 comments:

Shabnam Sultan said...

I will be more alert while accessing online banking.

I use FF do i still need to fear about phishing attacks :)

Satyajit (Admins,a.k.a Satosys) said...

@Shabnam actually mozilla firefox is the safest browser due to the addons it has....but it is does not make you hack proof.....your privacy can still can be manipulated....but you can avoid that to some extent by staying vigilant....while accessing net....thnks for visiting.... :)

Shekhar Sahu said...

you are paying good efforts to your blog, Please take my suggestion, without any loss of time get a domain name soon.

Satyajit (Admins,a.k.a Satosys) said...

@Shekhar thanks for your suggestion...i was also thinking that......anyways thanks for visiting..... :)

Unknown said...

wow man..good info about tab nabbing..!! tnx a lot

Satyajit (Admins,a.k.a Satosys) said...

Hey Suresh thanks for visiting....

Ayush said...

Grt info keep sharing...

Powered by Blogger.